ardamax | dc75ef1d21c1a9142bbba198e70994cbddd99c225cf412050eb631097945d9fe | Triage

Sharing

General

Target

JaffaCakes118_21e1793bda9359a7a640cffb3d6cbeae
Size

335KB
Sample

250124-qqatrazqdv
MD5

21e1793bda9359a7a640cffb3d6cbeae
SHA1

37ef8139b1da119f25882877d71dea67af24a819
SHA256

dc75ef1d21c1a9142bbba198e70994cbddd99c225cf412050eb631097945d9fe
SHA512

7250fb905bcebc9f94e92ed55538f20bd347ce8bc94cbfe51be818680c369bcbea098faa4fa46230f93b48466751f36f0fdcf3be1309ad82e416093e702e6364
SSDEEP

6144:CG6oTXeBuJRVRC0STrGpAh7aiVeSPSoDLi7oC/7YxyEmnp8vT:CwXeB6fATap+hzP7mt5/n2

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Targets

- Target
  
  JaffaCakes118_21e1793bda9359a7a640cffb3d6cbeae
- Size
  
  335KB
- MD5
  
  21e1793bda9359a7a640cffb3d6cbeae
- SHA1
  
  37ef8139b1da119f25882877d71dea67af24a819
- SHA256
  
  dc75ef1d21c1a9142bbba198e70994cbddd99c225cf412050eb631097945d9fe
- SHA512
  
  7250fb905bcebc9f94e92ed55538f20bd347ce8bc94cbfe51be818680c369bcbea098faa4fa46230f93b48466751f36f0fdcf3be1309ad82e416093e702e6364
- SSDEEP
  
  6144:CG6oTXeBuJRVRC0STrGpAh7aiVeSPSoDLi7oC/7YxyEmnp8vT:CwXeB6fATap+hzP7mt5/n2
Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Ardamax main executable
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

behavioral2

ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer